[CentOS] an actual hacked machine, in a preserved state
Les Mikesell
lesmikesell at gmail.com
Wed Jan 4 03:40:38 UTC 2012
On Tue, Jan 3, 2012 at 6:49 PM, Bennett Haselton <bennett at peacefire.org> wrote:
>
>>> Of the compromised machines on the Internet, what proportion do you
>>> think were hacked via MITM-and-advanced-crypto, compared to exploits in
>>> the services?
>> Proportions don't matter. Unless you have something extremely
>> valuable to make this machine a target or someone captured your
>> password and connection destination it was probably a random hit of a
>> random probe. It doesn't matter if they are likely to work or not,
>> some do.
>
> I either disagree or I'm not sure what you're saying. What do you mean
> that "proportions don't matter"?
I mean, if you get hit by lightning, did it really matter that you
didn't have the more likely heart attack?
> If attack A is 1,000 times more likely
> to work than attack B, you don't think it's more important to guard
> against attack A?
It's not either/or here. You could be the guy who gets hit by lightning.
>>> Case in point: in the *entire history of the Internet*, do you think
>>> there's been a single attack that worked because squid was allowed to
>>> listen on a non-standard port, that would have been blocked if squid had
>>> been forced to listen on a standard port?
>> Generalize that question to 'do you think attacks are helped by
>> permitting applications to use ports the administrator didn't expect
>> them to use' and the answer is clearly yes. There are certainly rogue
>> trojans around that do who-knows-what on other connections while
>> pretending to be your normal applications.
>
> Well, that seems like it would be trivial for the trojan to circumvent --
> just listen on the standard port, and if you receive a connection that
> contains the "secret handshake", switch that connection over into trojan
> mode, while continuing to serve other users' standard requests on the
> same port. Wouldn't that work? In that case it seems like a case of a
> restriction that might work until it becomes widely deployed enough for
> trojan authors to take it into account, at which point it becomes obsolete.
Do you lock your doors or just leave them open because anyone who
wants in can break a window anyway?
--
Les Mikesell
lesmikesell at gmail.com